Cisco sacrifices iron, pushes gateway protection into cloud

Umbrella takes the edge of enterprise network defence

Cisco's decided that the network perimeter is the wrong place for a Web gateway, so it's floating one into the cloud.

Switchzilla, bowing to the inevitable decomposition of products into software, is pouring scorn on hardware gateways as inadequate and insecure as part of the pitch for its new "Umbrella" product.

As a cloud-based secure internet gateway (SIG), Umbrella “stops current and emergent threats over all ports and protocols for the most comprehensive coverage. It blocks access to malicious domains, URLs, IPs, and files before a connection is ever established or a file downloaded.”

There are two other problems the company points to as falling outside a product deployed at the enterprise gateway: companies no longer “trombone” their branch office traffic to head office for Internet access; and individuals working remotely probably don't VPN to head office for Internet access.

For both these use-cases, Cisco reckons clouding the gateway is the answer. Instead of users suffering the performance penalty of shipping all their traffic through head office, Umbrella decentralises the security services they need.

Here's the checkbox list Cisco offers for Umbrella:

“Visibility and enforcement on and off the corporate network, even when users are off the VPN and without backhauling all traffic to the corporate network;”

“Open platform with a bidirectional API to integrate with your existing security stack;” and

“Discovery and control of SaaS applications.”

SaaS discovery is delivered by integration with Cisco's CloudLock platform.

To make the rollout painless for users, Umbrella uses Anycast routing: “every data centre announces the same IP address so that requests are transparently sent to the fastest available with automated failover to maintain 100 percent uptime.”

Not to mention that it's a lot easier to direct users through a security system via DNS addressing than asking them to remember to click on a VPN application before they connect.